Based on responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the 2002 Computer Crime and Security Survey confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting. Highlights of the survey include:
90% of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months.
80% acknowledged financial losses due to computer breaches.
44% were willing and/or able to quantify their financial losses, which amounted to $455,848,000.
As in previous years, the most serious financial losses occurred through theft of proprietary information (26 respondents reported a total of $170,827,000) and financial fraud (25 respondents reported a total of $115,753,000).
For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).
34% reported the intrusions to law enforcement. (In 1996, only 16% acknowledged reporting intrusions to law enforcement.)
Once again, to prevent the past from becoming the future, truly complete security must protect three areas:
Internal network and application services. Typically this is the internal network infrastructure, designed to support transfer and manipulation of internal business information. It consists of internal business application servers, workstations, printers and internal network access devices.
Perimeter network access and application services. This is the bridge between internal and external systems and typically acts as the 'traffic cop', allowing or disallowing entry into the internal network.
Perimeter defense security is usually in the form of firewalls, proxy servers, intrusion detection systems, VPN and other similar services. When properly configured, perimeter defense security models prevent or detect attacks and reduce the risk to critical back-end systems from external attacks. Most companies and the trade press focus on this type of security, largely ignoring threats that come from within the company.
External network and services. Generally referred to as the Internet, this network provides access into suppliers' networks or customer access to the company's network. It is an ungoverned and unprotected network with many access points.
External network security services take on an added dimension with e-commerce. A truly staggering number of small e-commerce ventures don't employ secure Web pages (SSL) at checkout. And then there are the sites that take orders over a fully secured, 128-bit encrypted connection, but then e-mail the orders to the storeowner without any encryption! SSL protects only the hop between the customer's browser and the Web server; once the order is handed to e-mail it is relayed over SMTP and stored in mailboxes in clear text, where it is easy to monitor. This is inherently dangerous. It is also dishonest to the customers, who believe their secure transaction is being maintained end to end.
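As an added example that is not part of the original text, the following Python shows one way to close the gap just described: the merchant notification carries an order reference and non-sensitive details, never the card number, and a final gate scans the outgoing message for anything that looks like a payment card number (13 to 19 digits, Luhn-valid) and refuses to send if one is found. The addresses, the admin URL, the order fields and the card numbers are constructed sample data, and the idea that the storeowner looks the order up over TLS by its id is an assumed design, not something the page prescribes.

```python
"""Outbound check for order notifications (added example, constructed data)."""
import re
from email.message import EmailMessage

# Digit runs of 13-19 digits, allowing the spaces or dashes people type in
# card numbers; lookarounds keep us from matching the middle of a longer run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit sequences found in text, separators removed."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def build_order_notification(order: dict, to_addr: str) -> EmailMessage:
    """Compose the storeowner notification with a reference, not the card data.

    The owner is expected to view the full order over TLS using the order id
    (the admin URL below is an assumed, constructed endpoint).
    """
    msg = EmailMessage()
    msg["From"] = "orders@example.test"      # constructed sample address
    msg["To"] = to_addr
    msg["Subject"] = f"New order {order['order_id']}"
    msg.set_content(
        f"Order {order['order_id']} for {order['customer_name']}\n"
        f"Total: {order['total']}\n"
        f"View details: https://shop.example.test/admin/orders/{order['order_id']}\n"
    )
    return msg


def safe_to_send(msg: EmailMessage) -> bool:
    """Final gate before SMTP: refuse any message whose subject or body carries a card number."""
    body = msg.get_content()
    return not find_card_numbers(body) and not find_card_numbers(str(msg["Subject"]))


if __name__ == "__main__":
    sample = {"order_id": "100234", "customer_name": "A. Customer", "total": "$42.00"}
    notification = build_order_notification(sample, "owner@example.test")
    print("safe:", safe_to_send(notification))
    leaky = EmailMessage()
    leaky["Subject"] = "New order 100234"
    leaky.set_content("Card: 4111-1111-1111-1111 exp 12/27")
    print("safe:", safe_to_send(leaky))
```

The gate is deliberately placed at the point where the message leaves the application, so it catches card data that slips into a template or a free-text field regardless of which code path composed the message; the regex and Luhn test together keep order numbers and phone numbers from being flagged.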